SiliconAngle reports that the HellCat and Morpheus ransomware-as-a-service operations, which have targeted high-profile organizations since emerging in mid- and late 2024 respectively, have used nearly identical ransomware payloads that differ only in contact information and victim-specific details.
Both HellCat and Morpheus use the Windows Cryptographic API (CryptoAPI) to encrypt data while leaving critical system files untouched, and both drop ransom notes instructing victims to log in to their respective .onion portals with the supplied credentials, according to a SentinelOne analysis. Although the payloads also resemble those of the Underground Team ransomware gang, which might suggest a shared builder application or codebase, SentinelOne researchers found them structurally and functionally distinct from Underground Team's, pointing to independent development. The researchers said such findings underscore the need for more robust threat detection and defense strategies informed by the resources shared among different ransomware groups.
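As an added example that is not part of the SiliconAngle or SentinelOne reporting, the Python script below shows the kind of triage check a defender can run when two payloads look like products of one builder: it masks the variable fields the article names (.onion contact addresses, portal credentials, victim identifiers) out of extracted ransom-note text, hashes what remains so samples can be clustered by template rather than by raw file hash, and pulls the masked values out as indicators for blocklists and hunting. The note text, .onion addresses, logins and victim IDs are constructed placeholders, not real HellCat or Morpheus artifacts.

```python
import hashlib
import re
from difflib import SequenceMatcher

# Constructed ransom-note strings standing in for text pulled from two samples.
# Everything victim- or operator-specific here is a placeholder built for this example.
NOTE_A = """Your files have been encrypted.
Contact us at http://exampleonionaddressaaaaaaaaaaaaaaaaaaaa.onion
Login: victim-acme-corp
Password: Qx7Lm2pZ
Victim ID: ACME-CORP-0001
Do not attempt to decrypt files yourself."""

NOTE_B = """Your files have been encrypted.
Contact us at http://exampleonionaddressbbbbbbbbbbbbbbbbbbbb.onion
Login: victim-globex-inc
Password: Rt4Np9wK
Victim ID: GLOBEX-INC-0007
Do not attempt to decrypt files yourself."""

# Tor v3 onion hostnames are base32 (a-z, 2-7); the length range covers v2 and v3 forms.
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b")
CRED_RE = re.compile(r"^(Login|Password):\s*(\S+)$", re.IGNORECASE | re.MULTILINE)
VICTIM_RE = re.compile(r"^Victim ID:\s*(\S+)$", re.IGNORECASE | re.MULTILINE)


def extract_iocs(text: str) -> dict:
    """Pull the per-victim / per-operator values out of a note for IoC handling."""
    creds = {m.group(1).capitalize(): m.group(2) for m in CRED_RE.finditer(text)}
    victim = VICTIM_RE.search(text)
    return {
        "onion": ONION_RE.findall(text),
        "credentials": creds,
        "victim_id": victim.group(1) if victim else None,
    }


def normalize(text: str) -> str:
    """Replace the fields that vary per deployment with fixed tokens, keeping the template."""
    text = ONION_RE.sub("<ONION>", text)
    text = CRED_RE.sub(lambda m: f"{m.group(1)}: <CRED>", text)
    text = VICTIM_RE.sub("Victim ID: <VICTIM>", text)
    return text


def raw_hash(text: str) -> str:
    """Plain SHA-256 of the note: differs between victims even when the builder is shared."""
    return hashlib.sha256(text.encode()).hexdigest()


def template_hash(text: str) -> str:
    """SHA-256 of the normalized note: identical across samples from the same template."""
    return hashlib.sha256(normalize(text).encode()).hexdigest()


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] between the two normalized notes (1.0 means identical template)."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def likely_shared_builder(a: str, b: str, threshold: float = 0.95) -> bool:
    """Heuristic: near-identical text once variable fields are masked suggests one builder."""
    return similarity(a, b) >= threshold


if __name__ == "__main__":
    print("raw hashes equal:     ", raw_hash(NOTE_A) == raw_hash(NOTE_B))
    print("template hashes equal:", template_hash(NOTE_A) == template_hash(NOTE_B))
    print("similarity:           ", round(similarity(NOTE_A, NOTE_B), 3))
    for label, note in (("A", NOTE_A), ("B", NOTE_B)):
        print(f"IoCs from sample {label}:", extract_iocs(note))
```

The same masking idea applies to strings extracted from the binaries themselves: two samples whose raw hashes differ can still collapse to one template hash once the embedded contact and victim data are tokenized, which is a practical way to group payloads by builder in a sample repository while still harvesting the per-sample values as indicators.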